XKMS Requirements - Fedrick Hirsch & Mike Just

JR: Noted that there is an overlap between requirements and design; some
requirements are design.
JR: MUST there be support for SOAP 1.1 & XMLP?
FH: Only SOAP initially, XMLP will not be in timeframe.
SF: Add XMLP when it is ready; only SOAP for now.
SF: Should signing be transport agnostic or use SOAP signature?
FH: SOAP signature won't be in timeframe, don't want to second-guess it,
so we must be transport agnostic.
SM: Is PKI agnosticism for the client or the server?
FH: For the client; the server can do what it wants, may rely on PK.
Don't frame the spec in X.509 but be able to support it.
PHB: The only interesting infrastructures are X.509 and forwarding XKMS
but we must support PGP and others to be friendly to such folks.
SF: Don't leak X.509 into XKMS.
SF: Current reqs mention symmetric key support; is that necessary in first
draft; e.g., kerberos, etc? Do we support now or think about later?
BD: Defer. Whole set of issues WRT kerberos.
SF: We don't want to specify in detail how to send kerberos ticket up?
PHB: Don't want to preclude it.
SF: So we'll defer it.
PHB: Put in words that we will not consider risk model or security
implications of symmetric keys.
BD: Agrees.
PHB: [Something about tennis balls and chainsaws.] Not _not_ a useful
thing, but for TNG.
SF: Make requirements clear that we are managing public keys.
[ General agreement ]
JR: In current requirements [which transpired to be an ambiguous
specification] we should strike latter part of section 2.1.4.
[ Other comments were inaccessible, would be made on-list to
updated requirements doc. ]
SM: It is not clear whether client-specific or server-specific
requirements are separated in the current design document.
MJ: For example, some respond values don't apply to the client
or the server. So we need the distinction in the spec.
BD: Need to state that we keep interactions simple for clients;
i.e., all interactions are client-inititiated; one request, one
response; no session management.

Slide #6:

SF: Do we have a consensus on confidentiality requirements? We may require
that the protocol run over SSL/TLS, but what XKMS fields d we want
confidential?
BD: The entire payload.
MJ: Or private keys.
PHB: Private keys must be encrypted, even if SSL is in use.
SDF: That aside?
BD: If the user has any confidentiality concerns, everything should be
secured.
SF: Aside from private keys, there is no requirement for selective
field confidentiality.
[ General agreement ]
SF: If someone sends an encrypted request, do we mandate an encrypted
response?
BD: Keep it simple. It is a server-speccified option, related to the
server's policy; out of scope for XKMS.
FH: Two trust issues; one is policy: what server does; two is how to trust
server.
SF: No negotiations; see list.
BD: XKMS should not define how to decide initial trust. Low value systems
will use SSL. Service builders will define the trust model of high value
systems.
SF: Client implementations will each define how this is set up; we could
say that all clients must accept the certificate r key of the service in a
KeyInfo?
BD: Yes.
PHB: See XTAML. A complex issue; let us defer until there is a full
solution, not come up with a half-baked solution.
SF: Does this contradict that all clients must accept certain format keys?
FH: Does this add complexity to clients?
BD: All clients must be able to handle KeyInfo.
FH: Client may not understand KeyInfo.
SF: Must have _an_ out of band way to accept key to trust service.
PHB: Not a MUST requirement to plug in an external root; some clients will
have no reason to isntall a different root.
SF: Do we require that either you bake in a root or can accept a trusted key in
some standard format?
PHB: If you are an XKMS responder then you MUST publish your key in some
format; KeyValue. A Server specific requirement; no onus on client.
SF: Just KeyValue?
BD: That's the minimum.
SF: Do we require that clients support responder key-changes?
BD: Hard question; maybe just insert text in the document warning that
this happens.
[ General agreement ]
PHB: See XTAML.

Slide #7:

SF: There's the general issue of maintaining KeyInfo and extending it; for
example, P10 is required.
PHB: Joseph, how do we do this?
JR: In the working group.
SF: Maintain a central registry?
JR: KeyInfo was supposed to be simple and was forced into xmldsig; in
time maybe we'll refactor it all. Until then, leave it open; let different
specs define their own extensions as needed. Namespaces will prevent
conflicts.
misc: [ General problem of multiple definitions of new key info elements;
discussion petered out. ]
JR: Aside: XKMS is like a database lookup.
PHB: Not a database lookup, just a directory lookup.
BD: [something on slide, TBD] is out of scope. We are not
reexpressing/resyntaxing other standards - e.g., PKIX - in XML.

Slide #8:

SF: What is an assertion? What requirements of atomicity do we have? [
Decided this is for spec, not req ].
SF: Are we sticking with numbered "tiers"?
[ General agreement to drop them and just use names ]
SF: Are chaining and referals a requirement for this revision?
BD: Let us stick with what we have; thgey can be hidden by the server. The
client just sees one server.
PHB: this will be covered later.

Slide #9:

PHB: WRT roaming, we don't want to clash with SACRED & IP issues.
FH: The slide just says tghat there is more than one reason to get the
private key from the serve.r
PHB: We may address roaming but may not.
MJ: Aside: Are the requirements just for XKMS 2.0 or are they also for
future revisions of XKMS?
BD: We must amend the charter later for > 2.0 and then updated
requirements; i.e., requirements are just for 2.0
SF: Do we have a concrete requirement for proof of possession of
encryption keys?
PHB: RSA & DSA are the majority of keys we will be working with; there is
nothing _wrong_ with using RSA encryption keys for a digital signature
in POP.
SF: If others; e.g., DH, need support in XKMS they can write their own
document that extends POP for their needs.
SF: Does this mean an IPSEC client couldn't use XKMS?
[ No? ]
SF: Baseline 2.0 clients don't need to support fancy proof of possession
mechanisms for encryption keys; we will just use signing, even for RSA
encryption keys.

Slide #10:

PHB: Element maxOccurs is unbounded in the schema, but a certain server
may only support, e.g., 10000 responses; not possible to QA a server for
infinite responses.
SF: How does a client specify multiple responses wanted, but no more than
60?
PHB: We should add an attribute stating max responses.
SF: We need a requirement that the spec needs to tie down schema cardinalities
whenever they are non-one.
BD: NO paged made of respones (e.g., ask for 1-10, then 11-20...)
SF: WRT template mode, we don't want any complex parameters?
PHB: A template may be unnecessary; the service will know.
SF: Some vendors have expressed a desire for it.
[ Discussion of retrieving just CRLs; agreemenet that this is not
supported without locating a certificate. ]
SF: WRT separating services: Locate service sometimes needed for
encryption (e.g., retrieving SMIME encryption key); validate service not
required in this context.
BD: Locate is similar to a directory lookup. Do we need a
KeyName[Guess|Part] KeyInfo element?
SF: May be useful for laxly locating by name; e.g., sfarrell vs
sfarrell@b.com.
PHB: We could describe in detail how SMIME uses XKMS.
SF: Put this in a separate application node.
PHB: Want to be able to use XKMS for SMIME key retrieval.
SF: Locate can be lax; validate must be strict (e.g., check email address
is in certificate).
SF: Must straighten up KeyName and KeyID. Will come back to this.
PHB: KeyName =~ subject; KeyID =~ URI.
SF: What is ValidityPeriod: When the key expires or the response expires?
BD: Look at the server policy. Validity is server-dependent.
SF: At minimum, outside this period "come back to me".
PHB: SMIME requires historical validity.
SF: Some sense in having duration associated with validate response but do
we _need_ this? Can you just make this out of band in server policy. 90%
of clients don't check old signatures.
FH: As signatures gain acceptance, historical checking will become more
important.
SF: Rat hole. Could be an extension to ask for historical checks and drop
ValidityInterval from base XKMS.
[ No objections ]
PHB: All register components are advisory; the server can override any of
them.
BD: We need words about certificate validity periods, bindings, etc. in
the spec.

Slide #13:

PHB: Reasonable to say a service MUST support TLS, but not a client.
FH: Nontransient signing will be useful for archiving.
PHB: Don't require non-repudiation.
SF: Move on.

Slide #15:

SF: Handling of pending in X BULK is easy; there are different reasons
than XKMS. In XBULK it is the time to process; in XKMS, it may be related
to administrative approval. If a register receives a pending response, how
long before recheck? What about locates during this pending period?
PHB: If the register is not processed, locate doesn't see it. If the
register is processed but the client has not got it, it _is_ registered.
The client may not need to know that it has been processed before other
clients can see it. So locates and validates work as soon as it is
processed.
MH: What if I request an update, this goes pending, the update is
done and others start to use it; I don't yet have the decryption key?
BD: You must get it.
PHB: A pending response needs an indication of the order of magnitude of
when to recheck.
SF: Client behaviour must be specified. If a client gets a pending, how
does he later complete the operation? Validate or register? How to abort?
PHB: Transaction ID. Should we support asynchronous response on all
operations? Validate won't work to download the private key of pended
server-generated key registration. We could look in the request structure
for a flag to say this is a repeasted request by matching transaction ID;
or, better, use a server-generated ticket.
BD: All operations must be client initiated.
SF: If I register a key name and get a binding with a new key name, does
the client forget its proposed name?
PHB: All is advisory.
SF: Does the server support the original proposed key name? E.g., for
locate?
PHB: No.
SF: The problem being SMIME needing to know your _real_ name.
BD: Gets back to a fuzzy match.
SF: Could register many aliases for use in locate; the response is only
canonical for validate.
BD: Slippery slope. Don't solve the universal naming problem. If you don't
register a unique name it won't work.
SF: Clients must expect key name changes. Want to avoid SMIME problem of
needing a signed message before being able to encrypt.
[ General murmurs to move on ]
MJ: Pending not needed for locate/validate; synchronous only.
PHB: Many schema changes; some people say we are confused; not using some
schema features. Two approaches; backwards compatible with old version or
reorganize. We changed register, so lets change everything we need
changed.
SF: Not compatible with XKMS 1.1 but not egregiously incompatible.
PHB: No SAML compatibility nor dependency; different schemas.
SF: May adopt some similar style.
MJ: Should the client pass a requested role to the service or does the
client choose a URL to choose a service.
SF: Client picks URL.
PHB: Extension. Client is not micromanaging service, it is offloading "do
the right thing" to the service.
MJ: All optional items need a good case for them.
PHB: Optionality in what service can deliver is _not_ up to client.
SF: This is clear on the list.
FH: Use of SOAP faults is unnecessary linkage. Use of SOAP integrity is
unnecessary linkage.
SF: Some discussion on SAML list.
BD: SOAP fault when can't generate XKMS response. Distinct from XKMS error
conditions (successful response).
FH: Not clear in draft; should clear up.
BD: Agree; we are specifying messages as SOAP payloads. Should REQUIRE
SOAP usage in 2.0, but be transport independent.
SF: For XKMS 2.0 all messages are SOAP envelope/body/payload.
MN: SOAP security or our signatures?
BD: No referencable SOAP signature.
SF: Want to do something "like" final SOAP signature.
BD: Multiple encoding options in SOAP under body. Do we do an RPC SOAP
encoding of XKMS or require document literal. Probable security problems
with RPC; dsig is not compatible.

Slide #16:

MJ: Must address replay, etc.
SF: Is there a requirement for XKMS clients to support roaming; client
pulling down private key regularly, as SACRED.
PHB: Have to support ability to register a key that will be roamed; maybe
as extension of register; e.g., FordKaliskyRSAKeyType.
SF: Server generated keys is not roaming; it is one-time download. Is it a
requirement to support repeated download of private key?
MJ: Neither doing our own nor referencing others are possible within our
timeframe.
PHB: We generate keypair at server-generated register time; this is not
roaming.
SF: Strong password protocol required for frequent key downloads.
FH: Doing it insecurely not worthwhile.
[ General consensus: not to do roaming (unfortunately) ]
MN: Current charter mentions SACRED. Should not be incompatible.
SF: Is chaining in scope for 2.0. The client will be unaware, but will a
standard XKMS client implementation work in a responder.
PHB: Need protection against livelock and deadlock. Do we make this a SOAP
routing issue or XMLP?
BD: Let us not think about it.
SF: Would like four corner model to work; do we need to think about it;
are there any issues?
BD: Let us not look at liability and forwarding policy issues of four
corner model.
SF: Agreed; we just want the scenario to work.
[ General consensus ]
BD: Think it should work; there is no client identifier in the request so
chaining should work without problem.
SF: Maybe a response flag if authoritative or not.
BD: > 2.0; maybe an extension. See service policy.
SF: KeyId and KeyName meaning in protocol; why the two?
JR: Does RetrievalMethod work? It is slightly different.
PHB: KeyID is how I can use the key. Need to bind a key to a protocol
identifier and port; not just a person.
SF: Then why do we need a person?
JR: Can we look in the KeyInfo structure for PGP or X.509 data to determine
whether PGP or SMIME for mailto?
SF: No; X.509 can be used in PGP.
BD: this is not like KeyID or KeyName.
SF: Which is the database primary key?
JR: Do we need a protocol binding?
PHB: yes.
BD: Originally expected a usage context list; e.g., UseKeyFor or
UseKeyWith (SMIME vX & foo@bar.com); not the confusing KeyID/KeyName
that we wound up with.
PHB: It originally was as above, but this was taken out.
SF: Will key name be primary key?
PHB: Yes.
SF: What flavour of key name; what messages does it appear in and where?
[ Consensus to defer ]
SF: If I register for foo, can it be used for bar? Exclusive or inclusive?
BD: Can't stop clients from doing what they want.
MJ: UseKeyWith allows you to pick among credentials.
PHB: Don't be overly restrictive; just an advisory hint.
SF: So KeyName is it; KeyID will go, and UseKeyWith will be added in an
advisory role.
PHB: When you register a key for sfarrell@baltimore.ie it has meaning.
SF: Is KeyName opaque or not?
PHB: No this is the UseKeyWith.
BD: Why can't the server just copy UseKeyWith around unchanged, without
comprehension?
SF: How does the client ask for a key for an email address?
PHB: Define URI formats so we can have meaning.
SF: Isn't this aliasing in a protocol-specific way? So, KeyName is
unstructure, UseKeyWith is structured.
MH: Then UseKeyWith is a structured alias for an unstructured unique
KeyName?
PHB: Yesish. UseKeyWith must be authenticated by the server for meaningful
validation purposes.
JR: Are queries conjunctive or disjunctive?
BD: Conjunctive; AND.
SF: Are multiple contents of KeyInfo AND or OR?
BD: Unsure.
SF: Not trying to solve general secure database lookup.
JR: It is critical to define the meaning of queries.
SF: These aren't mutually exclusive.
JR: Look at secure database queries.
FH: Are strings okay [ for Respond, etc. ] or do we want
namespace-qualified names (or URIs)?
PHB: Strings now for legibility of a closed set. Let us specify that
relative URIs are in a standard namespace.
[ Consensus to work on requirement doc updates now and then request
comments on it. ]

B R E A K

XKMS Base Specification - Phill Hallam-Baker

PHB: XKMS 1.2 or 2.0?
[ Consensus 2.0 ]
PHB: Client can never be required to ask a question; no negotiation.
SF: Criticality problem? If client asks for A, B, C what does server do if
it does not know C?
PHB: It does A, B. Service ignores unknowns.
SF: Do we need to distinguish between I don't do SPKI and there is no SPKI
information?
PHB: Don't think so. Client just gets nothing.
PHB: WSDL is at the method leverl; e.g., I do register and revoke but not
recover.
SF: So WSDL doesn't advertise that I do X.509 but not PGP; see policy
instead.
BD: RPC or document literal encoidng in SOAP?
SF: Blair, can you mail a bit of info on the RPC encoding to the list?
PHB: Reference to dsig may preclude RPC.
PHB: Do we separate user register message from server register message?
SF: May be a reason; issue came up before.
PHB: Plus it would clear up AuthServerInfo vs AuthUserInfo.
SF: Will average client want both?
BD: Yes; sign and encrypt.
SF: Suggests that we don't split register user from register server.
SF: What is a unique key binding? How do I revoke?
MJ: If I reissue a binding, what do I sign with?
SF: If I revoke a key, do all bindings with that key get revoked?
[ Consensus to punt to list. ]
PHB: Be clear about revoke: assertion or key? Revoke as much as is
specified? E.g., revoke just a key revokes all instances? Revoke key plus
name revokes just that bindingg?
PHB: Must include service URL (trust model) in response.
SF: We have SSL and payload security; what about none?
BD: Yes; trusted intranet.
PHB: Service MUST support SSL. Service MUST support no security. Service
SHOULD support payload security. Client MUST support SSL or no security.
Client SHOULD support payload security.
SF: There are arguments for not doing our own SOAP header for payload
security; overlaps with WS-security. So do we do payload security in our
own body element?
[ General agreement. ]
MJ: Digest of request always needed in response for security; not only if
the response is authenticated.
PHB: Responder may not know on what URI the client request came in on?
SF: Every response MUST include service URI and request digest.
[ General agreement. ]
SF: Does anyone think we need more than namespace for versioning?
[ No. ]
JR: So lose the version in the Respond element.
PHB: What about a schema update that just adds to the schema; this can be
done without a namespace change?
JR: Namespaces are sufficient.
[ General agreement for use of namespace for versioning. ]
SF: Phill, what about timing?
PHB: New version of document mid to late January.

XBULK - Merlin Hughes

Presentation skipped

SF: XBulk Spec to be done ASAP. Merlin will edit.

W3C Process Update - Joseph Reagle, W3C

Patent disclosure obligation; copyright on original XKMS document okay
for new version; intented for royalty-free patents; by signing up to
participant list you agree to charter policy. We are now an official W3C
group.